Your message dated Fri, 12 Jun 2009 15:33:00 +0000
with message-id <[email protected]>
and subject line Bug#525373: fixed in ntp 1:4.2.4p6+dfsg-2
has caused the Debian Bug report #525373,
regarding ntp: multiple security issues
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
525373: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=525373
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ntp
Severity: important
Tags: patch, security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for ntp.

CVE-2009-0159[0]:
| Stack-based buffer overflow in the cookedprint function in ntpq/ntpq.c
| in ntpq in NTP before 4.2.4p7-RC2 allows remote NTP servers to execute
| arbitrary code via a crafted response.

The upstream bug together with the patch can be found here[1]. The issue
can only be exploited by querying a malicious server and even then the
overflow is fairly limited.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Cheers
Steffen

For further information see:

[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159
    http://security-tracker.debian.net/tracker/CVE-2009-0159
[1] https://support.ntp.org/bugs/show_bug.cgi?id=1144



--- End Message ---
--- Begin Message ---
Source: ntp
Source-Version: 1:4.2.4p6+dfsg-2

We believe that the bug you reported is fixed in the latest version of
ntp, which is due to be installed in the Debian FTP archive:

ntp-doc_4.2.4p6+dfsg-2_all.deb
  to pool/main/n/ntp/ntp-doc_4.2.4p6+dfsg-2_all.deb
ntp_4.2.4p6+dfsg-2.diff.gz
  to pool/main/n/ntp/ntp_4.2.4p6+dfsg-2.diff.gz
ntp_4.2.4p6+dfsg-2.dsc
  to pool/main/n/ntp/ntp_4.2.4p6+dfsg-2.dsc
ntp_4.2.4p6+dfsg-2_i386.deb
  to pool/main/n/ntp/ntp_4.2.4p6+dfsg-2_i386.deb
ntpdate_4.2.4p6+dfsg-2_i386.deb
  to pool/main/n/ntp/ntpdate_4.2.4p6+dfsg-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Peter Eisentraut <[email protected]> (supplier of updated ntp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Fri, 12 Jun 2009 17:24:22 +0300
Source: ntp
Binary: ntp ntpdate ntp-doc
Architecture: source all i386
Version: 1:4.2.4p6+dfsg-2
Distribution: unstable
Urgency: medium
Maintainer: Debian NTP Team <[email protected]>
Changed-By: Peter Eisentraut <[email protected]>
Description: 
 ntp        - Network Time Protocol daemon and utility programs
 ntp-doc    - Network Time Protocol documentation
 ntpdate    - client for setting system time from NTP servers
Closes: 524035 525373 525373 526086
Changes: 
 ntp (1:4.2.4p6+dfsg-2) unstable; urgency=medium
 .
   * Fixed typo in ntpdate man page (closes: #526086)
   * Updated standards version
   * Moved .dhcp version of configuration files to /var/lib/ntp and
     /var/lib/ntpdate (closes: #524035)
   * Cleaned up man pages to satisfy lintian's hyphen-used-as-minus-sign
     complaint
   * Fixed limited buffer overflow in ntpq (CVE-2009-0159) (closes: #525373)
   * Fixed stack buffer overflow in ntpd (CVE-2009-1252) (closes: #525373)
   * Use new status_of_proc function to report status in ntp init script
   * Updated the config.guess/sub handling as recommended by autotools-dev to
     not clutter the diff, added autotools-dev to build dependencies




--- End Message ---